Email encryption flaw gives hackers full access to your secret messages

Researchers at the Munster University of Applied Sciences discovered vulnerabilities in the Pretty Good Protection (PGP) and S/MIME technologies used to encrypt email. The problem resides in how email clients use these plug-ins to decrypt HTML-based emails. Individuals and companies are encouraged to disable PGP and/or S/MIME in their email clients for now and use a separate application for message encryption. 

Called EFAIL, the vulnerability abuses “active” content rendered within HTML-based emails, such as images, page styles, and other non-text content stored on a remote server. To successfully carry out an attack, the hacker must first have the encrypted email in possession, whether it’s through eavesdropping, hacking into an email server, and so on. 

The first attack method is called “Direct Exfiltration” and abuses vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. An attacker creates an HTML-based email comprising of three parts: the start of an image request tag, the “stolen” PGP or S/MIME ciphertext, and the end of an image request tag. The attacker then sends this revised email to the victim. 

On the victim’s end, the email client first decrypts the second part and then combines all three into one email. It then converts everything into an URL form starting with the hacker’s address and sends a request to that URL to retrieve the nonexistent image. The hacker receives the image request, which contains the entire decrypted message. 

The second method is called the “CBC/CFB Gadget Attack,” which resides within the PGP and S/MIME specifications, affecting all email clients. In this case, the attacker locates the first block of encrypted plaintext in the stolen email and adds a fake block filled with zeroes. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. When the victim’s client opens the message, the plaintext is exposed to the hacker. 

Ultimately, if you don’t use PGP or S/MIME for email encryption, then there’s nothing to worry about. But individuals, companies, and corporations who use these technologies on a daily basis are advised to disable related plugins and use a third-party client to encrypt emails, such as Signal (iOS, Android). And because EFAIL relies on HTML-based emails, disabling HTML rendering is also advised for now. 

“This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad (sic),” F-Secure’s Mikko Hypponen wrote in a tweet. He later said that people use encryption for a reason: Business secrets, confidential information, and more.  

According to the researchers, “some” email client developers are already working on patches that either eliminates EFAIL altogether or makes the exploits harder to accomplish. They say the PGP and S/MIME standards need an update, but that “will take some time.” The full technical paper can be read here. 

The problem was first leaked by the Süddeutschen Zeitun newspaper prior to the scheduled news embargo. After the EFF contacted the researchers to confirm the vulnerabilities, the researchers were forced to release the technical paper prematurely.

Emerging Tech

How Super Mario, Magic: The Gathering, and PowerPoint are low-key supercomputers

What if the creators of Super Mario World, PowerPoint, and even Magic: The Gathering had accidentally created tools hiding a general-purpose computer in plain sight? Turns out they have.
Photography

Photographer sues Ariana Grande after she posts his images of her on Instagram

A professional photographer is suing Ariana Grande after she posted photos on Instagram that he'd taken of her. Grande used the post to promote one of her albums, but the photographer says she used the photos without permission.
Computing

ZombieLoad is Meltdown resurrected. Here’s how to secure your PC right now

This year's follow up to Intel's Meltdown and Spectre chipocalypse is the new MDS attack. Four distinct attack methods have been uncovered that could leave your data exposed, but thankfully patches are already available.
Gaming

How to unlock all Nanotrite abilities and amplify the carnage in Rage 2

Rage 2's combat gets even better when using Nanotrite abilities. There are eleven total, seven of which you have to find throughout the wasteland. Not only are these abilities useful to have, but they greatly diversity combat.
Computing

Is Threadripper dead? If so, AMD has made a huge mistake

Think Threadripper is dead? Think again. AMD's flagship CPU line might not be on this year's roadmap, but it's not dead and could well bring some amazing new enhancements when it returns.
Social Media

6 easy ways to archive all of your favorite Instagram videos

Saving Instagram videos should be just as easy as taking a screenshot. So, we've put together a list of the best apps and tools that save your favorite Instagram videos onto your phone or computer.
Product Review

Microsoft’s Surface Laptop 2 launched last year, but already feels old

Released in fall of 2018, the Surface Laptop 2 was competitive at the time but now must deal with new competitors that were announced at CES 2019. How does the popular Surface Laptop 2 hold up six months later?
Computing

Cybercrime gang that stole $100M busted in international effort

A major cybercrime gang that used powerful malware to steal an estimated $100 million from bank accounts has been dismantled following an international effort that spanned six countries.
Computing

G-Sync is a game-changer. These are the best monitors with Nvidia's display tech

Looking for a monitor that plays well with Nvidia GPUs? You need G-Sync and we have picked the best G-Sync monitors available. Take a look and find out which monitor works best for your PC upgrade.
Computing

Microsoft is discounting this Surface Laptop 2 by a sweet $300

Microsoft is offering a nearly 14-inch Surface Laptop 2 with 256GB of storage at a $300 discount until May 18, 2019. The laptop comes with a PixelSense display, and Intel Core i5 processor and a 720p HD camera.
Product Review

Looking for discrete graphics on the cheap? The Acer Swift 3 will do the trick

The Acer Swift 3 is a tweener laptop that’s not quite budget and not quite premium – and it feels and performs accordingly. It manages to hold its own, though, thanks to its discrete GPU.
Computing

The Razer Core X Chroma is the best external GPU you can buy

The third entry in Razer's lineup of external graphics card enclosures, the Core X Chroma, brings together the best of its previous options in a single package. With RGB lighting and extra USB ports, is this the best you can buy?
Computing

Google recalls Titan Security Key due to hijack risk

Google is offering a free replacement for the Bluetooth Low Energy version of the Titan Security Key. A misconfiguration was discovered in the device, though hackers looking to exploit the vulnerability will find it difficult to do so.
Computing

Whether you want to edit, sign, or append, PDFs, these are the best PDF editors

While there are plenty of PDF editor options online, finding a solution with the tools you need can be tough. Here are the best PDF editors for your editing needs, no matter your budget or operating system.